hckrnws
There's 2 things when it comes to security:
Companies are responsible for their own security. You cannot try to hack them without their permission. Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.
Also, companies are not responsible (liable) for their own poor security. If they do something like leak the private data of half the nation--shrug--what can you do?
How convenient for companies. It's literally a matter of national security; our national security is made worse by this status-quo, but at least companies aren't bothered by unwanted security researchers.
We need to pick a lane.
If companies want to be solely responsible for their own security, then they should also be solely reliable for any damages done by their own poor security.
Or, we can recognize that security is really hard and make it a team effort and setup laws to protect security researchers, and then special "events" wouldn't be needed for security research; anyone could test the security systems at any time, and especially people would be able to test the security of devices they own.
>Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.
citation needed
> Companies are responsible for their own security. You cannot try to hack them without their permission. Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.
Not a single sentence here is correct.
It's phrased weirdly, but the op is describing an idealized status quo as would be seen from a corporate standpoint. It was meant to contradict itself and thus:
>We need to pick a lane.
I imagine op would likely agree it isn't actually that monotoned and this was done for rhetorical purposes.
I think you need to expand here. My understanding is that there is a lot of law you can fall foul of pen testing and sharing vulns on products of companies you don't work for.
Tangent but I have a 2016 Toyota 4Runner. Great car and fits my family and needs perfectly. The key fob broke so I needed to get a replacement, I got a blank and had a locksmith cut and program the blank. He must have not done it right because it worked and then I got stranded cause it must have lost its pair to the car or something. Nothing wrong with the vehicle, the engine wouldn’t start because of the key. I do road trips through the desert SW and other remote places, if I have the key I need the car to start no matter what. I really don’t want my keys to require a battery either. I wish there was a way to bypass the rfid/BLE or whatever it is.
You can disable the RFID by manipulating the right bits in the ECU’s anti-theft EEPROM. Something that’s done with imported engines from Japan for sports car engine swap; they usually come with wire harnesses and ECU but no key. I know how its done for the imported 3SGTE engine ECU… I’m sure it’s not too different for the 2013 4Runner. Though, Toyota makes some newer ECUs nearly impossible to open without damaging the circuit board and anti-theft bypass requires physical access to the EEPROM.
Edit: RFID should not need battery…you can reprogram your own key by jumpering the correct OBD2 pins..process takes about 20 minutes…
If you even rarely get into situations you describe, saving on a freakin' key fob and not going via official dealership is supremely... not smart.
What you describe would be exactly reason #1 I would immediately say to anybody on topic of why not saving desperately on such a thing, despite never being in such situation myself.
Sometimes learning from other's mistakes should be enough. No, mostly it should be enough.
Did you get a genuine key? I never had one fail on me.
The immobilizer is the single best piece of technology for preventing car theft. If you create a backdoor for bypassing it, you'll end up like Hyundai/Kia which decided to sell cars without the immobilizer in recent years and which have turned into a joke in the minds of potential customers.
It does not require a battery in most cases and is separate from the keeloq system that controls your car's doors.
The Stellantis systems I’ve worked on have a nice feature that there is a battery for the proximity use, that you can keep the key in your pocket and press the button to run the car, as long as the key is within the four or five proximity sensors you are fine.
When that battery dies, you can press the directly to the start button and it uses a “receiver powered transmitter” RFID close proximity to start and run the vehicle.
Most people don’t know this, so when that battery dies they panic and suffer.
This technique of pressing the dead key to the starter button works for quite a lot of brands, not just Stellantis vehicles. Always worth trying if you are in a "keyless" car with a dead key fob battery.
In my experience virtually everything made in last 15 years will either support this RFID backup or have a spare physical key hidden inside the keyless fob.
Lots of them will even let you press the dead key against some part of the exterior to unlock the doors too.
What is funny to me is that before the proximity and push https start… the keys had RFID and an antenna at the lock cylinder anyhow.
They just left that same antenna in place (in Chrysler+ anyhow, called SKIM) now as a backup instead of the primary.
for my 2016 Mazda, the keys do not need a battery to operate.
you instead need to hold the fob up to the start button and it will work passively, rather than just being in the car normally. Glad they still give manuals with cars as I had to learn that without service.
There are three systems to the key, the doors and remote start, the “passive entry” which requires the battery, and the backup RFID you’re talking about.
That's great, but the writing is still on the wall if Toyota doesn't get serious about electric cars.
With their current trajectory Toyota is headed at 1000mph directly towards being the next Blackberry, Kodak, Nokia or Blockbuster.
I say this as someone who owned a Prius for 10 years and loved it, and have also driven their hydrogen car. The BZ4X is badly named overpriced garbage, not enough and not good enough. The clock is ticking and they have to act yesterday to avert disaster and they're sitting their twiddling their thumbs.
Currently Tesla is the iPhone to Toyota's Nokia and they're going to have to work very hard very soon to turn that around or their company will die.
The iPhone did everything the Nokia 3310 did, better. Electric cars do not (yet) do better some things hybrids do, such as being able to be fuelled with 400+ miles of range in 5 minutes.
I’m nowhere near the point of wanting an electric car to replace my hybrid. The convenience of petrol and the cost of electricity is too high. High electricity costs aren’t going to be fixed in my country any time soon so Toyota will continue to have a huge market here.
Most EVs these days can recharge 300ish miles in 15 mins, but 99% of the time I don’t even have to drive anywhere to refuel as it get recharged overnight in my garage. EVs are waaay more efficient in terms of MPGe so at least for me it is less half in terms of cost to refuel compared to petrol not even considering the external cost of emitting CO2
15 minutes is still not as good as the 2 minutes it takes to fill up a gas tank. Electric cars just aren't there yet for long drives, though they are great for everyday driving around town.
Very little maintenance is one big feature. After 3 years I have only had to change the tires, air filter and windscreen wipers.
For long road trips I’ve never had an issue stopping to rest/stretch while fast charging for between 15-30 mins.
Sure, but we are talking about a Toyota so there is (at least in my experience) not that much maintenance to begin with.
Toyotas may need less repairs than other vehicles, but of course they have the same maintenance schedules and costs as other vehicles.
Compare periodic oil changes, spark plug changes, ignition coils, stolen catalytic converters, exhaust system, PCV system, air and fuel filters, brake pads, transmission fluid, and other ICE maintenance items with the electric drivetrain. At 120,000 km I've replaced the tires once and the brake pads look brand new. That's it. Even the windshield wipers are still in good shape for some reason.
Oil filters and brakes are on the easier spectrum of maintainenance, but I’d still rather not do them if I don’t have to (which with my EV, I won’t)
The iPhone actually had way worse battery life than basically any Nokia. It’s a great comparison. People happily traded more features for having to plug their phone in every night.
iPhone also had same modem as everyone. It wasn't a Wi-Fi device, it was a phone-computer hybrid.
Compared to that, EVs feel more like Wi-Fi or WiMAX device that owners would say theirs are daily drivable but only make Discord calls. Overall situation more closely resemble PDAs before iPhone.
Just make sure you don't drive one, or you'll change your mind.
We’ve been driving them for over a decade now. They aren’t new anymore, and they still aren’t a panacea. There is this cool thing called car rental, it lets you use cars that aren’t your own.
There's also this thing called reading comprehension, I don't know where you can rent it, but sometimes it does help on online forums.
There’s also a thing called repeating a joke format for effect. And it’s not a very good effect.
I can see that.
Wait was your original comment being sarcastic? Because if so, spot on. They really do be speaking like that.
It's weird right? I get that Nokia honestly couldn't see it coming, it was basically the first in recent history. Too much too fast, RIM included.
But all the bigwigs currently in Toyota are the age to have seen and lived that transition. It's not like they're new to battery tech.
And they say - wow look at that... nah, let's build hydrogen.
Toyota moves more slowly than many other brands because of their company culture/philosophy.
To your point about BEVs, Toyota started producing BEV batteries at their plant in North Carolina this year: https://www.toyota.com/usa/operations/map/tbmnc
EVs are trash compared to equal price gas car. For example if you compare camry with a similarly priced EV, BYD or Tesla doesn’t have quality/reliability at the same level
Don't they have a RAV4 EV coming Fall 26? Thats one of their top models. With new generation design that looks nice! They seem pretty serious if they are putting their signature model into EV production. Not to mention their other EVs launching in 2026.
Have Tesla released any new models? The hot thing that people are waiting for right now is not really a new model, its the return of the turn stalk. I mean I get that they sell well because there is lack of options but if you take a step back, this is clown company behavior.
> That's great, but the writing is still on the wall if Toyota doesn't get serious about electric cars.
Toyota is following national direction where natural resources are scarce, including generating electricity. It's actually government's idea to chase hydrogen as a viable alternative to dyno juice.
>With their current trajectory Toyota is headed at 1000mph directly towards being the next Blackberry, Kodak, Nokia or Blockbuster.
Lol absolutely not. Toyota is well positioned with their hybrids while also having EV in the pipeline. Have in mind that great majority of world population has no viable means to charge their cars either reliably, cheaply or at all. Hybrids make great sense in great majority of use cases.
> Currently Tesla is the iPhone to Toyota's Nokia and they're going to have to work very hard very soon to turn that around or their company will die.
Oh FFS
This is hilarious projection of your preferences and market predictions onto every other consumer.
I bought a 2024 Toyota hybrid. I don’t care about electric vehicles and won’t bother reinvestigating them until 2034 at the earliest. I don’t see the problems with electric vehicles being solved anytime soon in the US.
Tesla is not the manufacturer to beat.
Currently EV's are the iPhones to Toyota's Nokia and they're going to have to work very hard very soon to turn that around or their company will die.
Fixed that for you. I give Tesla another 2-5 years before their number is up and they'll limp along and become another also ran.
There's no way they can compete with what's to come and even what's happening now.
I have some friends, who are definitely not HN readers or avid followers of the EV market, and they've already swapped out their Teslas for BYD. It didn't take much for them to make the move. And what's coming is already far beyond what Tesla have on the table.
They had a good ride. And definitely should be credited with being the starting gun on one chapter of automotive revolution. But it's over for them (in the EV space). They know it too ... hence their attempted pivot to ... * insert flavour of the month*
> That's great, but the writing is still on the wall if Toyota doesn't get serious about electric cars.
It seems they know what they are doing. Toyota is a very profitable car manufacturer, with profit in 2024 more than Tesla and Volkswagen combined. Unlike Nissan, the maker of the best selling EV of all time, who is struggling very hard.
Tesla sells nearly as many cars in a quarter (497,099 in Q3 2025) as the Leaf managed in its entire lifetime (577,000 between 2010 and 2022).
I stand corrected, the Leaf figure was wrong. Nevertheless, Toyota is very profitable despite (or because?) it does not sell a significant number of EVs. Margins on EVs are currently extremely low or even negative, and that is hurting EV manufaturers more than ICE manufacturers.
Is the hating Tesla tantrum over?
That being said, you can’t really compare the sales of all of Teslas to the sales of one specific form factor/model with any kind of seriousness. Nor do I think it’s a fair comparison to compare Tesla that has parted on various hype patterns over the years to tap the zealots into even becoming their free advertisement and marketing departments not unlike how Apple fanboy cult people at least used to be. Toyota is a mature, reasonable enterprise whose sales are orders of magnitude larger than Tesla’s and there are many people’s lives dependent on being reasonable when shifting things, not “disrupt” in a typical tech bro narcissistic way.
For context Tesla has roughly 2 million sales with 125,000 employees, Toyota has 11 million sales with 385,000 employees. I assume I don’t need to do the math for you.
And that’s without going into the various battery issues and the now conflicting electricity interests between EV and AI.
The Toyota number is very misleading because dealership employees don’t have Toyota badges; they have Dave’s Hometown Stealership badges. Tesla store employees have Tesla badges.
You’re counting customer-facing employees for Tesla and leaving them out for Toyota.
95% (actual percentage) of Teslas sold are Model 3 or Model Y, so one can cut that sales figure in half and still reasonably compare to the sales of another model.
>And that’s without going into the various battery issues and the now conflicting electricity interests between EV and AI.
I do not understand what this means. Isn't the same gas used to power vehicles used to power turbines that provide electricity?
Toyota won't build BEVs in scale, nor will most of the Japanese brands. They can't.
Japan can't build the batteries for BEV's at the necessary scale for global production. Yes China controls lithium but they also control some 95% of global battery grade graphite production, and anywhere from 60% to 90% production of manganese, cobalt, and nickle. Not to mention all of the components that those produce like the anodes and cathodes.
And the big problem with that is the Japanese genuinely fears there's going to be a war in the pacific. A big one. Fearful enough that Japanese government allocated $320 billion USD to be spent from 2024 to 2029 specifically to turn the JSDF into a proper military, and establish and sustain a new domestic military industrial complex.
The main flashpoint the Japanese are afraid of is a Chinese military attack on Taiwan, which leads two major possibilities. Either the US intervenes with the military, or it does not.
If the former, then China has to find a way to take away as many of the US Navy's advantages as they can. One of which is the major resupply facilities for the US 7th fleet in Yokosuka. Push comes to shove then I have little doubt that the Chinese will launch missiles into the Japanese harbors to deny the USN and JMSDF capability of repair and rearming via kinetic means. But I'm certain they'd prefer to pressure the Japanese into reducing or removing the US presence from Japanese docks.
Pressure like say being able to potentially cripple 10% of Japanese GDP that's in it's automotive sector if hypothetically Japan was dependent on Chinese exports of BEV batteries. Not exactly with precedent either; China tried to cut off Japan from rare earth metals once (admittedly that backfired on China) and China's recently put on export license restrictions on graphite.
Like it or not, the Japanese know it, the Chinese know it, and even the US is fully aware of it. The US is right now building new US navy bases in the Philippines just in case Japanese harbors become denied to the USN. Also why the Japanese are building up it's capability to strike not just far off Chinese naval assets but potentially into the Chinese mainland as well; the first an order for 500 US made Tomahawk missiles are already being installed right now on JMSDF destroyers.
On the other hands, if it's the former and the US chooses not to intervene... well it's gonna get very lonely for Japan out there all by itself.
You know the really sad part though? The Japanese were relenting a bit because they signed the US Japan Critical Minerals Agreement in 2023 which in effect promised no undue burden for the Japanese to get access to critical minerals. They just didn't dive head in because it was signed under the Biden administration.
Given the Trump administration's open hostility to BEV's, his erratic trade policies, and his open musing about withdrawing from mutual defense agreements (normally NATO but not a stretch to think he'd extend that to the Japanese US one as well I don't think they've made the wrong choice. Or rather more accurate that it's the least risky choice out of a bunch of awful choices.
China is in the process of crippling 10% of Japan's GDP in automotive, just by building EVs and EV components and selling them to other nearby countries where Toyota (and other Japanese brands) currently dominate and hae vchosen not to compete in this new format. So we don't need Tom Clancy to generate scenarios where this will be bad for Japan.
Exactly. Look no further than Thailand, long a bastion of both Japanese car manufacturing and Japanese cars locally:
https://www.ft.com/content/e33a2cbf-9a7e-4964-8914-c129d2947...
The absolute numbers are still small, but as momentum shifts to EVs, Japan's market share will collapse.
[dead]
Why make electric cars when you can bribe politicians to tax EVs and promote hybrids?
Are you talking about Toyota or every german automaker ;)
Or even US government? (by removing incentives)
Removing incentives is not "taxing EVs", it's leveling the playing field. If EVs can't compete without the competition being tilted in their favor, they aren't up to scratch yet.
Comment was deleted :(
I'd say the EU manufacturers are in an even worse position than Toyota as their electric lineup isn't great and they have massive reliability problems on both ICE and BEV cars unlike Toyota.
Currently they only survive in the EU thanks to tarrifs on Chinese cars.
And I would say the opposite about Tesla, they experienced the biggest selling drop of all brands combined, if there's one brand going to crash first, I'd bet on Tesla.
Can you elaborate on (or link to some resources on) EU manufacturer quality issues? I have a hunch I know what you mean but I’d like to know more.
Really? I think Renault are on a roll at the moment.
The Renault 4, Renault 5 and Megan seem really competitive.
The new Nissan Leaf (made in UK) also looks pretty good.
VAG seem to have lost the plot (“let’s replace all the controls with a small, janky touch system that leaks personal information to hackers”) but their ID.7 isn’t total crap.
Comparing Renaults to the Chinese brands I’ve seen (MG and BYD) the Chinese brands were a bit cheaper but they really felt it with cheap interiors and uncomfortable seats. I’d rather pay a grand more and get a car I like.
I have a BYD Seal and it's by far the most luxurious and best quality car I've owned, and my previous car was a Mercedes. I don't know what you've tried, but it doesn't feel cheap at all
I only buy mass-market cars. I've looked at MG 4s, 5s and BYD Dolphins. I didn't rate any of them.
I view all cars as depreciating liabilities and so have little interest in buy either Seal or its Mercedes equivalent.
ID.7 is the most sold EV model in EU so "not total crap" is an interesting definition. Other ID models are selling well too
What's your source? it's the 5th in this ranking I found: https://autovista24.autovistagroup.com/news/europes-best-sel...
Comment was deleted :(
What are you on about though? EU EV sales are through the roof and pretty much all brands now have good EV cars.
Got
My brother had his car (a sleek AUDI) stolen in front of his house. He left the key in the entry hall, and someone extended the range.
Are current electronics (the consumer ones) good enough at scale to limit the time the round-trip car-key-car takes?
How does that work?
Once they have driven 100m what happens?
UWB, used by CCC keys (iOS and Android; UWB might be optional for Android?) definitely is — TOF distance precision in the inches.
FYI - the inclusion of UWB (specifically the FiRa consortium secure ranging standard) was not part of the CCC Digital Key specification until v4.0.0, which only left its draft state very recently, at least in terms of automotive security standards.
I am curious if any Teslas have ever been stolen by being able to duplicate the Tesla key.
Is app + Bluetooth or the NFC cards inherently more secure than traditional key fobs?
I think a fundamental problem is that keys aren’t security forward compatible - break the keys and you’ve broken an entire generation (or more) of cars.
The only solutions I can see are software based keying and a mobile app or legally enforced security guarantees.
But the car manufacturers don’t give a fuck if your 3 years and one day old car gets stolen. You move to the next competitor, only for the same to happen in just over three years time. Repeat. Repeat. Repeat.
I think the problem here is that traditional keys expect physical security, and this expectation is broken because key fobs are now wireless and thieves have range extenders. I thought the best practice here is to store the wireless capable key fobs inside Faraday cages when they are not in use to restore physical security.
>The only solutions I can see are software based keying and a mobile app or legally enforced security guarantees.
Wouldn't this require the phone to be trusted and not run unsigned software?
The software part is a solved problem - this is how the web is secured. There would be an exchange of keys with the car, and done.
This does not solve the problem of the timing (but the sibling comment explained that this one has a solution)
Electric cars are theft proof. No car thief would steal an electric car.
I don't understand the downvotes. I am just curious about whats the rationale. If there is a counterpoint, please downvote by all means, but make the point so I learn how to think better!
No explanation or elaboration on your claim that electric vehicles are theft-proof
I thought it was obvious. Charging (scoping just to US) has some difficulties. First, you need to know how charging works (110V vs 240V vs DC fast charging) and also understand what kind of charging the car you are stealing supports: https://www.power-sonic.com/ev-charging-connector-types. Also understand the various apps that are needed for different cars and how they work. The thief most likely may not have charging at home or at work (if they have a place of work, I'd assume they are not working at FAANGs, which have 2 - 3 EV chargers at each location). Then, when they are chased by cops, etc, they will eventually run out of charge. They can't do a quick pitstop. When they are charging, lets say at a Tesla station, the car may be electronically identified. But, most importantly, the media instills a fear of electricity (you can't find electricity anywhere except these things called EV charging stations and there are very few charging stations) and electric cars. Everyone is worried about range (range anxiety).
You're assuming so much that is wrong. Thieves don't know how to use technology?
They can't use a charger? (I imagine they'd wire one to an also stolen generator)
Then you assume they're gonna be in a car chase? That's not how most stolen vehicles end up.
Afaik most stolen vehicles either get quickly parted out at a chop shop, or are sent across a border (driven across borders or container shipped to another country), or used for other crimes, or they're joy rided around then abandoned. Basically all things you could easily do on a partial charge with a modern car mechanics skills.
A good starter would have been running the keyfob data on a different CAN line than the one going into the headlights... you know, the one you can reach with your hand from the outside.
Then we could also talk about encryption, but at least making it a tad more difficult to have physical access.
Not that toyota is the only one. If you ever notice a car that has a reinforced grill protecting the front RADAR, or the rear lights... now you know why.
The CAN bus, the network interface vehicle components use to communicate was, at least as of a few years ago, the source of basically infinite vulnerabilities.
Add in over the air updates or worse, updated bluetooth or radio firmware and you find things like stopping a vehicle remotely at highway speeds[1]
[1] https://fractionalciso.com/the-groundbreaking-2015-jeep-hack...
The people behind that stunt were immediately hired by GM.
Comment was deleted :(
IIRC, many TPMS systems run as CAN over IP, basically giving unsecured network access to a car if it thinks it's talking to a TPMS. Granted that some/most these sensors typically have to be "paired" with a car using a scantool (sometimes), but IIRC, some are self-pairing creating a vulnerability where the legit sensor could be replaced with a hostile one. Also the possibilities of spoofing, sniffing, and/or packet injection seem real too.
I know the receivers are often in a vulnerable position. But, on my 2008 era car- the code I've seen for SDR decoding is a broadcast MAC, pressure and a temp value.
>IIRC, many TPMS systems run as CAN over IP,
I’ve been in this industry for 20-some years not a single system I’ve ever seen operates like that.
CAN over IP does not exist invehicles. IP over CAN doesn’t exist at all. UDS over IP does, but this is automotive Ethernet and an entirely different discussion.
The laptop in the second picture looks very nice. Thinkpad? Anyone knows what model this is?
Or we could make Toyotas tunable like many other brands. I would love to tune my Tundra like I could tune my GTI. The mid 2010s after market super charged Tundras were so cool!
Car companies would benefit from hiring thieves in the dark web. There were always toolkits on sale as well. So they could just investigate what is being done to steal the cars and patch it. I suppose a good bounty program would help as well as the tech savvy thieves would have a choice to get a bug bounty instead of ganging up with other criminals. Sort of divide and conquer.
Automotive Pentesting has been an industry for years [0][1][2]
[0] - https://www.praetorian.com/services/automotive-penetration-t...
[1] - https://plaxidityx.com/
[2] - https://autocrypt.io/
I love when companies openly embrace their security vulnerabilities rather than hide behind them, cough Kia
The legacy automakers have been cramming ever more ECUs into their cars, at a considerable cost expense. Tesla did something different with the big screen and one 'big computer' rather than a bevvy of ECUs. This appears to be the design pattern going forward, as evidenced by VW's investment in Rivian, where they also go for the 'big computer' approach.
It seems to me that the security of Tesla cars is pretty good, compared to that of the legacy automakers. You can't hotwire a Tesla.
Securing one computer is relatively easy when compared to the challenge of securing a veritable forest of hardware, as made by numerous suppliers.
Regarding the way that general attacks on car security systems happen, something has gone wrong with how all of it has been implemented. RFID works fine in many other applications, but they are doing it 'back to front' with automotive and it is just too easy to hack. I am not even sure it has been for features people really want. Remotely opening the car before you get in it has convenience value but we got in trouble with that.
Wasn't Tesla basically a Toyota until recently? The big dash computer was just a car equivalent of Nest thermostat, at least when I looked at it, it could have been an Arduino with a key cylinder and the car would work fine.
You can't hotwire a Tesla, but the manufacturer can, and can stop you from driving it too. I am not sure on the whole I prefer that option.
All the other new car seem like they are coming with integrated modems also, so I presume they have the same capability of stopping you from driving the car too.
Hack-a-Toyotathon.
The big security issue is that cars should not phone home, Toyota please patch
Pwn2own?
Crafted by Rajat
Source Code